Lecture 6 

Primality, Factoring, RSA, Hensel's Lemma 



CRT and the number of solutions - we have a congruence

$a_k x^k + a_{k-1} x^{k-1} + \cdots + a_0 \equiv 0 \pmod n$, with $a_i \in \mathbb{Z}$.

We want to know all solutions mod $n$, and in particular the number of solutions.
Write $n = p_1^{e_1} p_2^{e_2} \cdots p_r^{e_r}$. Then solving the congruence mod $n$ reduces to solving
it mod $p_i^{e_i}$ for all $i$. If $x$ satisfies the congruence mod $n$ then it is a solution of the
congruence mod $p_i^{e_i}$ for all $i$. Conversely, if $x_1$ is a solution mod $p_1^{e_1}$ and $x_2$ is
a solution mod $p_2^{e_2}$, etc., then the CRT says that there exists a unique $x$ mod $n$
such that $x \equiv x_i \pmod{p_i^{e_i}}$ for all $i$.

Now for this $x$, $x \equiv x_i \pmod{p_i^{e_i}}$, so

$a_k x^k + a_{k-1} x^{k-1} + \cdots + a_0 \equiv a_k x_i^k + a_{k-1} x_i^{k-1} + \cdots + a_0 \equiv 0 \pmod{p_i^{e_i}}$

Therefore $x$ is a solution mod $n$, so this process gives a bijection

$\{\text{solutions mod } p_1^{e_1}\} \times \{\text{solutions mod } p_2^{e_2}\} \times \cdots \times \{\text{solutions mod } p_r^{e_r}\} \longleftrightarrow \{\text{solutions mod } n\}$

In particular, the total number of solutions mod $n$ is

$\prod_{i=1}^{r} \#\{\text{solutions mod } p_i^{e_i}\}$
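The counting argument above, carried out in code. This is an added example, not part of the lecture notes: it factors $n$ by trial division, finds the solutions mod each prime power by exhaustive search, glues them together with the CRT, and checks the product formula against a direct search mod $n$. The polynomial $x^2 - 1$ and the moduli $105 = 3 \cdot 5 \cdot 7$ and $24 = 2^3 \cdot 3$ are constructed test inputs.

```python
from itertools import product
from math import prod

# Constructed example polynomial x^2 - 1, stored as [a_k, ..., a_0].
EXAMPLE_POLY = [1, 0, -1]


def factorize(n):
    """Trial division: return n as a list of (p, e) pairs with n = prod p^e."""
    factors, p = [], 2
    while p * p <= n:
        if n % p == 0:
            e = 0
            while n % p == 0:
                n //= p
                e += 1
            factors.append((p, e))
        p += 1
    if n > 1:
        factors.append((n, 1))
    return factors


def poly_mod(coeffs, x, m):
    """Evaluate a_k x^k + ... + a_0 mod m by Horner's rule."""
    acc = 0
    for c in coeffs:
        acc = (acc * x + c) % m
    return acc


def solutions_mod(coeffs, m):
    """All residues x mod m with f(x) ≡ 0 (mod m), found by exhaustive search."""
    return [x for x in range(m) if poly_mod(coeffs, x, m) == 0]


def crt_combine(residues, moduli):
    """Unique x mod prod(moduli) with x ≡ r_i (mod m_i), for pairwise coprime m_i."""
    x, M = 0, 1
    for r, m in zip(residues, moduli):
        t = ((r - x) * pow(M, -1, m)) % m   # solve x + M*t ≡ r (mod m) for t
        x += M * t
        M *= m
    return x % M


def count_solutions_via_crt(coeffs, n):
    """Number of solutions mod n = product over p^e || n of #solutions mod p^e."""
    return prod(len(solutions_mod(coeffs, p ** e)) for p, e in factorize(n))


def solutions_via_crt(coeffs, n):
    """The bijection itself: glue one solution per prime power into a solution mod n."""
    moduli = [p ** e for p, e in factorize(n)]
    per_modulus = [solutions_mod(coeffs, q) for q in moduli]
    return sorted(crt_combine(combo, moduli) for combo in product(*per_modulus))


if __name__ == "__main__":
    n = 105  # = 3 * 5 * 7; x^2 ≡ 1 has 2 solutions mod each prime, so 8 mod 105
    print(count_solutions_via_crt(EXAMPLE_POLY, n))
    print(solutions_via_crt(EXAMPLE_POLY, n))
    print(solutions_via_crt(EXAMPLE_POLY, n) == solutions_mod(EXAMPLE_POLY, n))
```

The exhaustive search mod $p^e$ is only there to make the example self-contained; the point is that the count mod $n$ is the product of the counts mod the prime powers, which the last comparison in `__main__` verifies against a direct search.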

Primality Testing: Given $n$, we want to determine if $n$ is prime or composite.
Input $n$ has $\log n$ digits. We call an algorithm efficient if it's polynomial in the input size
- in this case, $\mathrm{poly}(\log n)$ steps. The obvious algorithm is to divide by every prime
from 2 to $\lfloor \sqrt n \rfloor$, which is $O(\sqrt n)$ steps, or $\exp(\tfrac12 \log n)$.

Test using Fermat's Little Theorem - if $n$ is prime and $n \nmid a$, then $a^{n-1} \equiv 1 \pmod n$.

1. Pick an integer $a \in \{2, \ldots, n-1\}$.

2. Compute $(a, n)$: if it is $> 1$, then $n$ is composite.

3. Otherwise compute $a^{n-1}$: if $\not\equiv 1 \pmod n$ then done, $n$ is composite. If
$\equiv 1 \pmod n$, then the test is inconclusive. Could try another random $a$. There are
composite numbers that satisfy $a^{n-1} \equiv 1 \pmod n$ for all $(a, n) = 1$ (e.g.,
561), called Carmichael numbers.

Refinement: if $a^{n-1} \equiv 1 \pmod n$, compute $a^{(n-1)/2}$ (since $n - 1$ is even). If $n$ is
prime, this must equal $\pm 1 \pmod n$.

If $\not\equiv \pm 1 \pmod n$, then $n$ is composite.

If $\equiv -1 \pmod n$, then inconclusive, go to another $a$.

If $\equiv 1 \pmod n$ and $4 \mid n - 1$, then repeat with $a^{(n-1)/4}$.

If $n$ passes all these tests for a given $a$, $n$ is a strong pseudoprime to base $a$. If $n$
is prime, it's going to pass all these tests. If $n$ is composite, it's a strong pseudoprime to
base $a$ for at most $\tfrac14$ of all possible $a$ (usually much smaller).

So if we pick a random $a$ mod $n$ then a composite $n$ will pass the test with probability at
most $\tfrac14$. If it passes, then pick another random $a$. The probability of a composite $n$ passing $k$
tests will be at most $(\tfrac14)^k$, which decreases exponentially with $k$. And so if you
do $c \log n$ trials, the probability is at most $(\tfrac14)^{c \log n}$. So if $n$ passes $c \log n$ trials
(for some large enough $c \approx 100$), then the probability that $n$ is prime is very close to
1.
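The Fermat test and its refinement, as an added example that is not part of the notes. `strong_test` follows the three-way case split above literally (keep halving the exponent while the value is 1 and the exponent is even; stop at $-1$; anything else is a proof of compositeness). `liar_counts` makes the Carmichael remark concrete: for 561 every coprime base passes Fermat, while the strong test is fooled by only a handful of bases. The base 2 and the seeded random generator are constructed inputs.

```python
import random
from math import gcd


def fermat_test(n, a):
    """One round of the Fermat test from the notes: 'composite' or 'inconclusive'."""
    if gcd(a, n) > 1:
        return "composite"
    if pow(a, n - 1, n) != 1:
        return "composite"
    return "inconclusive"


def strong_test(n, a):
    """The refinement: after a^(n-1) ≡ 1, look at a^((n-1)/2), a^((n-1)/4), ... for as long
    as the exponent stays even and the value stays 1. Assumes odd n > 2 and 1 < a < n."""
    if gcd(a, n) > 1:
        return "composite"
    e = n - 1
    if pow(a, e, n) != 1:
        return "composite"            # already fails Fermat
    while e % 2 == 0:
        e //= 2
        r = pow(a, e, n)
        if r == n - 1:
            return "inconclusive"     # -1: consistent with n being prime
        if r != 1:
            return "composite"        # a square root of 1 other than ±1: impossible for prime n
    return "inconclusive"             # exponent became odd with the value still 1


def is_probable_prime(n, rounds=20, rng=random):
    """Repeat the strong test with random bases. A composite n survives one round with
    probability at most 1/4, hence all rounds with probability at most (1/4)^rounds."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    return all(strong_test(n, rng.randrange(2, n)) != "composite" for _ in range(rounds))


def liar_counts(n):
    """For a composite n: (#bases in {2..n-1} coprime to n, #passing Fermat, #passing the
    strong test). For the Carmichael number 561 the first two numbers coincide."""
    bases = [a for a in range(2, n) if gcd(a, n) == 1]
    fermat_pass = sum(fermat_test(n, a) == "inconclusive" for a in bases)
    strong_pass = sum(strong_test(n, a) == "inconclusive" for a in bases)
    return len(bases), fermat_pass, strong_pass


if __name__ == "__main__":
    print(liar_counts(561))                                       # (319, 319, 9)
    print(fermat_test(561, 2), strong_test(561, 2))               # inconclusive composite
    print(is_probable_prime(2**61 - 1, rng=random.Random(0)))     # True (a Mersenne prime)
```

Note that `strong_test` accepts a base that reaches $-1$ at any stage and rejects one that reaches any other value, which is exactly the distinction the notes draw between "inconclusive" and "composite"; the $\tfrac14$ bound quoted above is what `is_probable_prime` relies on.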

This is $\mathrm{poly}(\log n)$ steps, but we want a deterministic algorithm. Solved in 2002
by AKS (Agrawal, Kayal, Saxena). The main idea is that $n > 2$ is prime if and
only if

$(x - a)^n \equiv x^n - a \pmod n$ as polynomials

Check different values of $a$, but there are $n$ possible choices of $a$ and the expansion
is slow. The way to avoid this is with the CRT, by looking at both sides mod $n$ and modulo a
small degree polynomial.

Factorization: If $n$ is composite, how do we factor it in $\mathrm{poly}(\log n)$ time? The
obvious way is to divide by everything up to $\sqrt n$, which is $O(\sqrt n)$.

Pollard Rho: Let $f(x) = x^2 + 1$. Then $x_0 = 1$, $x_1 = f(x_0) \bmod n$, $x_k = f(x_{k-1})$
$\bmod n$ gives the sequence $x_0, x_1, \ldots, x_i$. Heuristic: if $n = pm$, with small $p$, then
this sequence will start repeating mod $p$ earlier than mod $n$. So if $x_i \equiv x_j \pmod p$
but not mod $n$, then $(x_i - x_j, n)$ will give a factor of $n$.

In practice one only needs to compute $x_k$ and $x_{2k}$, $x_{2k}$ and $x_{4k}$, etc., and check the gcd.
Heuristic: if $p$ is the smallest prime factor of $n$, we expect to get a factor of $n$ using
this algorithm in about $\sqrt p$ steps.
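Pollard rho as described above, added here as an example (not code from the notes). The tortoise/hare pairing compares $x_k$ with $x_{2k}$ at every step, so only two sequence values are held at a time; the step counter lets you compare the work done with $\sqrt p$. The moduli $8051 = 83 \cdot 97$ and $1000003 \cdot 1000033$ are constructed inputs, and `is_prime_trial` is a deliberately slow helper used only to stop the recursion at prime pieces.

```python
from math import gcd


def pollard_rho(n, x0=1, c=1):
    """Pollard rho with f(x) = x^2 + c, starting at x0 (the notes use c = 1, x0 = 1).
    The tortoise holds x_k and the hare x_{2k}; gcd(x_k - x_{2k}, n) is checked each step.
    Returns (factor, steps), or (None, steps) if the sequence closed up mod n itself."""
    f = lambda x: (x * x + c) % n
    x = y = x0
    steps = 0
    while True:
        x = f(x)           # x_k
        y = f(f(y))        # x_{2k}
        steps += 1
        d = gcd(abs(x - y), n)
        if d == n:
            return None, steps   # cycle mod n reached before a cycle mod p: retry with other c
        if d > 1:
            return d, steps


def find_factor(n):
    """Retry the constant c = 1, 2, 3, ... until a nontrivial factor of composite n appears."""
    for c in range(1, 50):
        d, _ = pollard_rho(n, x0=1, c=c)
        if d is not None:
            return d
    return None


def is_prime_trial(n):
    """Slow but certain primality check, adequate for the demo sizes used here."""
    if n < 2:
        return False
    p = 2
    while p * p <= n:
        if n % p == 0:
            return False
        p += 1
    return True


def factor_completely(n):
    """Recursive rho factorization: split with rho until every piece is prime."""
    if n == 1:
        return []
    if is_prime_trial(n):
        return [n]
    d = find_factor(n)
    return sorted(factor_completely(d) + factor_completely(n // d))


if __name__ == "__main__":
    d, steps = pollard_rho(8051)
    print(d, steps)                                      # a factor of 8051 after a few steps
    n = 1000003 * 1000033
    d, steps = pollard_rho(n)
    print(d, steps, (steps / 1000.0))                    # steps compared with sqrt(p) ≈ 1000
    print(factor_completely(n))                          # [1000003, 1000033]
```

The `None` branch matters in practice: when $n$ is prime, or when the chosen $f$ happens to cycle mod every prime factor at once, the gcd jumps straight to $n$, and the only remedy is a different polynomial or starting point, which `find_factor` tries in turn.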

Elliptic curve based factoring gives $\exp(c\sqrt{\log n \log\log n})$. The number field sieve
gives $\exp(c(\log n(\log\log n)^2)^{1/3})$. We still don't have an efficient algorithm for
factoring, a fact that much of modern cryptography is based on.

Cryptography - RSA: Alice and Bob (A and B) want to pass messages, and Carol
(C) is the eavesdropper. A can send a message to B, converted into bits - equivalent to
sending an integer $m$. A wants to encrypt the number so C can't understand it.

The obvious method is to use a shared key model, where A and B have some shared
key $k$. With a message $m$, A can send $m + k$, or $m \oplus k$ (where $\oplus$ is the bitwise
exclusive OR). B can decrypt the message by subtracting $k$: $(m + k) - k = m$,
$(m \oplus k) \oplus k = m$. This is not so good if we want to send multiple messages - if C
sees $m_1 + k$ and $m_2 + k$, then C can figure out $m_1 - m_2$, which gives her some
information about $m_1$ and $m_2$, which is bad. This is also not efficient (the number
of keys needed grows quadratically as the number of members passing messages
between each other increases).

Instead, use public key cryptography. One model is RSA (Rivest, Shamir,
Adleman). The idea is that B generates two large primes $p$ and $q$ of about equal
size. Set $N = pq$. Then

$\phi(N) = \phi(p)\phi(q) = (p-1)(q-1)$

Then B chooses $e$ coprime to $\phi(N)$ and computes $f \equiv e^{-1} \pmod{\phi(N)}$. B publishes
$N$ and $e$ as his public key. If A wants to send message $m$, assuming
that $0 < m < N$ (if not, then we break it into chunks), and $(m, N) = 1$, A then
computes $m^e \bmod N$ and sends it to B, who decrypts it by computing $(m^e)^f$
$\bmod N$. The idea is that

$fe \equiv 1 \pmod{\phi(N)}$, so $fe = 1 + k\phi(N)$ for some integer $k$, and

$(m^e)^f = m^{1 + k\phi(N)} = m\,(m^{\phi(N)})^k \equiv m \cdot 1^k \equiv m \pmod N$

$f$ is secret, so C has no way to compute $m$ from $m^e$ - this relies on the hardness
of factoring.
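The RSA scheme above written out as code, as an added example that is not from the notes. `decryption_identity` checks the two facts the argument rests on ($fe = 1 + k\phi(N)$ and $m^{\phi(N)} \equiv 1$ for $(m, N) = 1$), and the byte-chunking functions show one way to handle the "break into chunks" case: each chunk is prefixed with a `0x01` byte so its integer value is never 0 and leading zero bytes survive the round trip. The primes (61, 53 and 10007, 10009), the exponent 17 and the message are constructed toy inputs; real keys use primes of a thousand or more bits.

```python
from math import gcd


def rsa_keygen(p, q, e=65537):
    """Key generation exactly as in the notes: N = pq, phi = (p-1)(q-1), f = e^{-1} mod phi.
    p and q are supplied by the caller (toy sizes in this demo)."""
    N, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(N)")
    f = pow(e, -1, phi)
    return (N, e), (N, f)          # (public key, private key)


def rsa_encrypt(pub, m):
    """A's computation: m^e mod N, requiring 0 < m < N as in the notes."""
    N, e = pub
    if not 0 < m < N:
        raise ValueError("message must satisfy 0 < m < N (chunk it otherwise)")
    return pow(m, e, N)


def rsa_decrypt(priv, c):
    """B's computation: (m^e)^f mod N."""
    N, f = priv
    return pow(c, f, N)


def decryption_identity(p, q, e, m):
    """Check the reasoning: fe = 1 + k*phi(N), and m^phi(N) ≡ 1 (mod N) when gcd(m, N) = 1,
    so (m^e)^f = m * (m^phi(N))^k ≡ m. Returns True when all of this holds for m."""
    N, phi = p * q, (p - 1) * (q - 1)
    f = pow(e, -1, phi)
    k = (f * e - 1) // phi
    assert f * e == 1 + k * phi
    return gcd(m, N) == 1 and pow(m, phi, N) == 1 and pow(pow(m, e, N), f, N) == m


def _payload_bytes(N):
    # Payload bytes per chunk: with the 0x01 marker the chunk value is < 2^(8(k+1)) <= N.
    k = (N.bit_length() - 1) // 8 - 1
    if k < 1:
        raise ValueError("N too small to carry even one byte per chunk")
    return k


def rsa_encrypt_bytes(pub, msg):
    """Chunk a byte string so every chunk is an integer in (0, N), then encrypt each."""
    N, _ = pub
    k = _payload_bytes(N)
    chunks = [b"\x01" + msg[i:i + k] for i in range(0, len(msg), k)]
    return [rsa_encrypt(pub, int.from_bytes(ch, "big")) for ch in chunks]


def rsa_decrypt_bytes(priv, cts):
    """Decrypt each chunk, strip the 0x01 marker and reassemble the byte string."""
    N, _ = priv
    k = _payload_bytes(N)
    out = bytearray()
    for c in cts:
        raw = rsa_decrypt(priv, c).to_bytes(k + 1, "big").lstrip(b"\x00")
        assert raw[0] == 1, "marker byte missing: corrupted chunk"
        out += raw[1:]
    return bytes(out)


if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53, e=17)      # N = 3233, phi = 3120, f = 2753
    c = rsa_encrypt(pub, 65)
    print(c, rsa_decrypt(priv, c))            # 2790 65
    print(decryption_identity(61, 53, 17, 65))
    pub2, priv2 = rsa_keygen(10007, 10009)
    print(rsa_decrypt_bytes(priv2, rsa_encrypt_bytes(pub2, b"hello world")))
```

`rsa_encrypt` enforces only $0 < m < N$; the coprimality condition $(m, N) = 1$ that the derivation assumes is checked separately in `decryption_identity`, since the notes' proof needs it even though `pow(c, f, N)` still inverts `pow(m, e, N)` for every $0 \le m < N$ in practice.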

Hensel's Lemma - this is a way to solve congruences mod $p^j$ if we know solutions
mod $p$ (an analog of Newton's Method for finding roots of polynomials).

Theorem 26 (Hensel's Lemma). Suppose that $f(x) \in \mathbb{Z}[x]$, $f(a) \equiv 0 \pmod{p^j}$,
and $f'(a) \not\equiv 0 \pmod p$. Then there's a unique $t$ mod $p$ such that $f(a + tp^j) \equiv 0$
$\pmod{p^{j+1}}$. That is, there's a unique solution $b$ mod $p^{j+1}$ which is congruent to $a$ mod
$p^j$ (i.e., $b$ reduces to $a$ mod $p^j$, $a$ lifts to $b$ mod $p^{j+1}$).

Proof. We're looking for solutions $b = a + tp^j$ where $t \in \{0, 1, \ldots, p-1\}$ to the
congruence mod $p^{j+1}$. Want to see if one of these $t$ works. Use the Taylor expansion
around $a$:

$f(a + tp^j) = f(a) + tp^j f'(a) + \frac{(tp^j)^2}{2!} f''(a) + \cdots$

Lemma 27.

$f(a + tp^j) \equiv f(a) + tp^j f'(a) \pmod{p^{j+1}}$ if $j \geq 1$

Proof. $f^{(k)}(a)/k!$ is an integer if $f$ is a polynomial with integer coefficients, and so the lemma
follows after we see that $p^{2j} \equiv 0 \pmod{p^{j+1}}$. $\square$
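Hensel lifting as an added worked example (not code from the notes). By Lemma 27 the condition $f(a + tp^j) \equiv 0 \pmod{p^{j+1}}$ reduces, after dividing by $p^j$, to the linear congruence $f(a)/p^j + t f'(a) \equiv 0 \pmod p$, which is solvable for a unique $t$ precisely because $f'(a)$ is invertible mod $p$; `hensel_lift` solves it, `hensel_lift_to` iterates it, and `count_lifts` confirms uniqueness by brute force. The polynomial $x^2 - 2$ with the root $3$ mod $7$ is a constructed input.

```python
def poly_eval(coeffs, x):
    """Evaluate f(x) = a_k x^k + ... + a_0 over the integers (coeffs from a_k down to a_0)."""
    acc = 0
    for c in coeffs:
        acc = acc * x + c
    return acc


def poly_deriv(coeffs):
    """Coefficients of f'(x) in the same convention."""
    k = len(coeffs) - 1
    return [c * (k - i) for i, c in enumerate(coeffs[:-1])]


def hensel_lift(coeffs, a, p, j):
    """One step of Theorem 26: given f(a) ≡ 0 (mod p^j) and f'(a) ≢ 0 (mod p), return the
    unique b mod p^{j+1} with b ≡ a (mod p^j) and f(b) ≡ 0 (mod p^{j+1})."""
    pj = p ** j
    fa = poly_eval(coeffs, a)
    fpa = poly_eval(poly_deriv(coeffs), a)
    if fa % pj != 0:
        raise ValueError("a is not a root of f mod p^j")
    if fpa % p == 0:
        raise ValueError("f'(a) ≡ 0 mod p: the lemma does not apply")
    # Lemma 27: f(a + t p^j) ≡ f(a) + t p^j f'(a) (mod p^{j+1}).  Dividing by p^j gives
    # f(a)/p^j + t f'(a) ≡ 0 (mod p), a linear congruence in t with a unique solution.
    t = (-(fa // pj) * pow(fpa, -1, p)) % p
    return (a + t * pj) % (p ** (j + 1))


def hensel_lift_to(coeffs, a, p, k):
    """Start from a root a mod p and lift it step by step to a root mod p^k."""
    b = a % p
    for j in range(1, k):
        b = hensel_lift(coeffs, b, p, j)
    return b


def count_lifts(coeffs, a, p, j):
    """Brute-force uniqueness check: how many t in {0..p-1} make a + t p^j a root mod p^{j+1}."""
    pj, pj1 = p ** j, p ** (j + 1)
    return sum(poly_eval(coeffs, a + t * pj) % pj1 == 0 for t in range(p))


if __name__ == "__main__":
    f = [1, 0, -2]                         # x^2 - 2; 3 is a root mod 7 since 9 ≡ 2
    b = hensel_lift_to(f, 3, 7, 3)
    print(b, (b * b - 2) % 7**3)           # 108 0: a 7-adic square root of 2 to three digits
    print(count_lifts(f, 3, 7, 1))         # 1: exactly one t works, as the theorem says
```

The hypothesis $f'(a) \not\equiv 0 \pmod p$ is enforced rather than assumed: for $x^2 - 1$ at $a = 1$ with $p = 2$, where $f'(1) = 2$, `hensel_lift` refuses to proceed, which is the right behaviour since in that case the linear congruence in $t$ can have zero or several solutions.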

(Cont'd next section) 